CVE-2021-47761 Overview
CVE-2021-47761 is a local privilege escalation vulnerability affecting MilleGPG5 version 5.7.2. The vulnerability exists due to insecure file permissions (CWE-276) that allow authenticated users to modify service executable files in the MariaDB bin directory. An attacker with local access can replace mysqld.exe with a malicious executable, which will execute with SYSTEM privileges when the computer restarts.
Critical Impact
Authenticated local users can escalate privileges to SYSTEM level by replacing the MariaDB service executable, enabling complete system compromise upon restart.
Affected Products
- MilleGPG5 5.7.2
- MariaDB bin directory components bundled with MilleGPG5
- Windows systems running vulnerable MilleGPG5 installations
Discovery Timeline
- 2026-01-15 - CVE-2021-47761 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2021-47761
Vulnerability Analysis
This vulnerability stems from improper permission configuration (CWE-276: Incorrect Default Permissions) in the MilleGPG5 application. The MariaDB bin directory installed as part of MilleGPG5 5.7.2 contains overly permissive access controls that allow low-privileged authenticated users to write to the directory and modify executable files.
The core issue is that the mysqld.exe service executable can be replaced by any authenticated user on the system. Since the MariaDB service runs with SYSTEM privileges and automatically starts during system boot, this creates a trivial privilege escalation path. An attacker can substitute the legitimate service binary with a malicious payload, which will then execute with the highest available Windows privileges upon system restart.
Root Cause
The root cause is insecure default file permissions on the MariaDB bin directory where mysqld.exe resides. During installation, MilleGPG5 5.7.2 fails to properly restrict write access to this directory, allowing authenticated users to modify critical service executables that run with elevated privileges.
Attack Vector
The attack vector is local, requiring an authenticated user account on the target system. The exploitation process involves several steps:
- The attacker identifies the MilleGPG5 installation and locates the MariaDB bin directory
- The attacker creates or obtains a malicious executable designed to run with SYSTEM privileges
- The attacker replaces mysqld.exe with the malicious payload
- Upon system restart, the Windows service manager launches the malicious binary as the MariaDB service
- The malicious code executes with SYSTEM-level privileges, providing complete system compromise
This attack requires no special tools beyond filesystem access and basic knowledge of Windows service behavior. Technical details and proof-of-concept information are available through the Exploit-DB #50558 entry.
Detection Methods for CVE-2021-47761
Indicators of Compromise
- Unexpected modifications to mysqld.exe in the MariaDB bin directory
- Hash mismatches for MariaDB service executables compared to known-good baselines
- Unusual processes spawned by the MariaDB service after system restart
- Unauthorized write events to the MilleGPG5 MariaDB bin directory
Detection Strategies
- Implement file integrity monitoring (FIM) on the MariaDB bin directory and all service executables
- Monitor Windows Event Logs for changes to service binary paths (Event ID 7040, 7045)
- Configure endpoint detection rules to alert on executable replacements in service directories
- Establish baseline hashes for legitimate MilleGPG5 binaries and monitor for deviations
Monitoring Recommendations
- Enable detailed auditing on the MilleGPG5 installation directory, specifically write and delete operations
- Monitor service startup events for the MariaDB service to detect anomalous behavior
- Implement process monitoring to identify unexpected child processes spawned by mysqld.exe
- Review access control lists on service directories during regular security assessments
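The auditing recommended above can be set up as follows. This is an added example, not vendor or MilleGPG5 code; it assumes an elevated session, an English-language Windows (for the auditpol subcategory name) and the install path used in this advisory's workaround.

```powershell
# Added example (not vendor code). Run elevated.
# Path assumption: the install location used in this advisory's workaround.
$dir = 'C:\Program Files\MilleGPG5\MariaDB\bin'

# 1. Turn on the "File System" object-access audit subcategory
#    (subcategory name as shown on English-language Windows).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add a SACL entry that logs successful writes, deletes and permission
#    changes by any principal (Everyone = S-1-1-0), inherited by all children.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success')
$acl = Get-Acl -LiteralPath $dir -Audit
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $dir -AclObject $acl

# 3. Later: list Security-log event 4663 (object access) records for that directory.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        $d = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.ObjectName -like "$dir\*") {
            [pscustomobject]@{
                Time = $evt.TimeCreated; User = $d.SubjectUserName
                Process = $d.ProcessName; Object = $d.ObjectName; AccessMask = $d.AccessMask
            }
        }
    }
```

A 4663 record for mysqld.exe whose process is not an installer or updater you expect is the event to triage first.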
How to Mitigate CVE-2021-47761
Immediate Actions Required
- Audit file permissions on the MariaDB bin directory within MilleGPG5 installations
- Restrict write access to service executable directories to Administrators and SYSTEM only
- Verify the integrity of mysqld.exe by comparing against known-good hashes
- Consider temporarily disabling the MariaDB service if not required for operations
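The permission audit and integrity check listed above can be scripted. The following is an added example, not vendor or MilleGPG5 code; it locates the service by its image name rather than a fixed path, the allowlist of trusted SIDs is an assumption to adjust per environment, and `$BaselineSha256` is a placeholder because no known-good hash is published here.

```powershell
# Added example, not vendor code: report write-capable ACEs held by unexpected principals
# on a service binary and its folder, and compare the binary's hash to a baseline.
param(
    [string]$ImageName = 'mysqld.exe',   # service image named in the advisory
    [string]$BaselineSha256 = ''         # placeholder: record this from a trusted install
)
# Principals expected to hold write access, matched by SID so localized names do not matter.
$trusted = @(
    'S-1-5-18',      # SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (inherit-only placeholder ACE)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
$r = [System.Security.AccessControl.FileSystemRights]
# Rights that allow replacing or re-permissioning a file, plus GENERIC_ALL and GENERIC_WRITE.
$writeMask = [int]($r::WriteData -bor $r::AppendData -bor $r::Delete -bor
    $r::DeleteSubdirectoriesAndFiles -bor $r::ChangePermissions -bor $r::TakeOwnership) -bor 0x50000000
$pattern = '^"?(?<exe>[^"]*?' + [regex]::Escape($ImageName) + ')'

foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not ($svc.PathName -match $pattern)) { continue }
    $exe = $Matches.exe
    foreach ($target in @($exe, (Split-Path $exe -Parent))) {
        $rules = (Get-Acl -LiteralPath $target).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $writable = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $writable -and
                $trusted -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Service = $svc.Name; RunsAs = $svc.StartName; Path = $target
                    Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
    $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    if ($BaselineSha256 -and $hash -ne $BaselineSha256) {
        Write-Warning "$exe SHA-256 $hash does not match the baseline"
    }
}
```

Each row returned is a principal outside the allowlist that can modify the binary or its folder; no rows means only the allowlisted principals hold write access.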
Patch Information
Contact the vendor for updated software or security patches. Refer to the MilleGPG product page for official advisories and updates. No vendor patch information was available in the CVE data at the time of publication.
Workarounds
- Manually correct file permissions on the MariaDB bin directory to restrict write access to privileged accounts only
- Implement application whitelisting to prevent unauthorized executables from running as services
- Deploy file integrity monitoring solutions to detect and alert on unauthorized modifications
- Use Windows Local Security Policy to restrict which users can modify files in service directories
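```powershell
# Windows PowerShell - Restrict permissions on MariaDB bin directory
# Run as Administrator to secure the vulnerable directory
# /inheritance:r removes only inherited ACEs, and /grant:r replaces only the named
# principal's explicit ACEs, so explicit entries for any other principal remain in place.
# Review the resulting ACL with icacls afterwards.
icacls "C:\Program Files\MilleGPG5\MariaDB\bin" /inheritance:r
icacls "C:\Program Files\MilleGPG5\MariaDB\bin" /grant:r "SYSTEM:(OI)(CI)F"
icacls "C:\Program Files\MilleGPG5\MariaDB\bin" /grant:r "Administrators:(OI)(CI)F"
icacls "C:\Program Files\MilleGPG5\MariaDB\bin" /grant:r "Users:(OI)(CI)RX"
```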